\section{Usage of the TOR Network}
\begin{frame}{Usage of the TOR Network}
\begin{figure}[b]
	\centering
		\includegraphics[width=10cm]{images/usage-stat.png}
\end{figure}
{\footnotesize (source: \url{http://www.loadpdf.com/Shining-Light-in-Dark-Places:-Understanding-the-Tor-Network.html})}
\end{frame}

\begin{frame}{Usage of the TOR Network}
\begin{figure}[b]
	\centering
		\includegraphics[width=8cm]{images/usage-stat2.png}
\end{figure}
{\footnotesize (all numbers in GB; source: \url{http://www.loadpdf.com/Shining-Light-in-Dark-Places:-Understanding-the-Tor-Network.html})}
\end{frame}

\begin{frame}{Usage of the TOR Network}
\textbf{One moment! TOR is anonymous, how did they collect this data?}
\end{frame}

\begin{frame}{Usage of the TOR Network}
\textbf{They simply ran an exit server for some time and created the stats.\newline\newline
However, no personal data was stored (of course).}
\end{frame}

\section{Deanonymization}
\begin{frame}{Deanonymization - Exit Servers}
\begin{itemize}
	\item exit server sees the traffic in the clear if it is unencrypted (recall the stats: 411\,GB HTTP vs.\ 11\,GB TLS traffic)
	\item exit servers are picked first according to exit policy (allowed ports)
	\item $\rightarrow$ server can decide which traffic to attract
	\item $\rightarrow$ only allow insecure protocols like POP3, HTTP, etc.\ and read passwords (perfectly good sniffer)
	\item (remember \url{http://panopticlick.eff.org}? $\rightarrow$ use Privoxy)
\end{itemize}
\end{frame}

\begin{frame}{Deanonymization - Example Facebook}
\begin{itemize}
\item by default Facebook uses HTTP instead of HTTPS
\item perfect MITM (can steal cookies etc.)
\end{itemize}
\begin{figure}[b]
	\centering
		\includegraphics[width=8cm]{images/mitm.png}
\end{figure}
\end{frame}

\begin{frame}{Deanonymization - TOR Traffic}
\begin{itemize}
\item TCP streams are anonymized (not packets)
\item multiplexing of several TCP streams over one tunnel (``one bad apple spoils the bunch'')
\item (established circuit is used for all new connections within the next 10 minutes)
\item cells with fixed size (padded if necessary)
\item $\rightarrow$ however, analysis of traffic patterns possible
\end{itemize}
\end{frame}

\begin{frame}{Deanonymization - TOR Traffic}
\begin{itemize}
\item BitTorrent normally leaks your real IP
\item origin cannot be determined as long as at least one node is not compromised (traffic-pattern analysis, see above, aside)
\end{itemize}
\end{frame}

\begin{frame}{Detecting a Sniffer}
\begin{itemize}
\item sniffers often perform reverse DNS lookups
\item deliberately connect to an IP under own DNS authority
\item $\rightarrow$ track reverse lookups on own DNS server
\end{itemize}
\begin{figure}[b]
	\centering
		\includegraphics[width=8cm]{images/dns.png}
\end{figure}
{\footnotesize (source: \url{http://www.loadpdf.com/Shining-Light-in-Dark-Places:-Understanding-the-Tor-Network.html})}
\end{frame}